Failing to block a stealthy malicious host from making connections to your network could cost your company millions of dollars, a damaged reputation, and severe losses in sensitive private data.

Threat intel teams have faced ongoing problems:

Expensive feeds that are slow to catch new threats

Chasing false positives in alerts wastes time and money

Vendors selling a new appliance for every ill

Would 100% of your users Spot the Bot?

Sophisticated security professionals wouldn't be fooled, yet what about some of your endpoint users? Long, confusing subdomains have been successfully used by crooks for over a decade. More of these dangerous hostnames are created every day due to increased value for compromised accounts. Even social media accounts are now seen by criminals as providing a high concentration of valuable personal information. Control of a Facebook account for example, can enable access to payment methods, impersonation of executives or IT staff, and security question answers useful for breaking into higher value accounts.

Once a user's account is compromised, corporate assets they have access to may be exfiltrated by criminals who can now intercept multi-factor tokens for administrator privilege systems.

PRELIMINARY RESEARCH:

8 out of 10 Malicious Hostnames Go Active in First 48 hours After Creation

You can prove or disprove this assertion [1] by checking the validity for your own network, with the data that matters — your own. Take a look at the last 5 - or 10 - or 100 - malicious hostnames involved in infections, breaches, or clicks on phish at your own company.

How much time passed between creation of the malicious hostname - and when the malicious action first took place on your network? Don't average the results - bucket them by days because those buckets will lead you to a winning threshold strategy. You can then apply this strategy to identify and protect from the malicious methods represented by each time constrained bucket. [2]
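As an added illustration (not part of the original post and not Zetalytics code), here is a small Python script that carries out the bucketing described above on a constructed incident list: for each malicious hostname it takes the interval between first sighting in DNS and first malicious action on the network, counts incidents per whole-day bucket, and reports what fraction of incidents a "block hostnames younger than NN hours" rule would have caught at each candidate threshold. The hostnames, timestamps and the 8-of-10 split are constructed sample data, not research results.

```python
from collections import Counter
from datetime import datetime

# Constructed sample incidents, not real data: (hostname, first seen in DNS,
# first malicious action on our network). Timestamps are ISO-8601 UTC and the
# hostnames use reserved .test labels.
SAMPLE_INCIDENTS = [
    ("secure-login-update.ddns-provider.test", "2023-03-01T10:00:00", "2023-03-01T14:30:00"),
    ("acct-verify-8813.free-host.test",        "2023-03-02T00:00:00", "2023-03-03T06:00:00"),
    ("mail-sso-reset.ddns-provider.test",      "2023-03-05T08:00:00", "2023-03-05T09:15:00"),
    ("invoice-portal.free-host.test",          "2023-03-06T12:00:00", "2023-03-08T11:00:00"),
    ("hr-benefits-login.free-host.test",       "2023-03-10T00:00:00", "2023-03-10T20:00:00"),
    ("docs-share-2fa.ddns-provider.test",      "2023-03-11T00:00:00", "2023-03-12T12:00:00"),
    ("it-helpdesk-auth.ddns-provider.test",    "2023-03-12T06:00:00", "2023-03-12T18:00:00"),
    ("vpn-update-required.free-host.test",     "2023-03-13T00:00:00", "2023-03-14T23:00:00"),
    ("cdn-static-assets.long-lived.test",      "2023-02-01T00:00:00", "2023-03-15T00:00:00"),
    ("payroll-notice.free-host.test",          "2023-03-01T00:00:00", "2023-03-06T00:00:00"),
]


def age_hours(created_iso: str, event_iso: str) -> float:
    """Hours between the hostname's first DNS sighting and the first malicious action."""
    created = datetime.fromisoformat(created_iso)
    event = datetime.fromisoformat(event_iso)
    return (event - created).total_seconds() / 3600


def bucket_by_day(incidents) -> Counter:
    """Count incidents per whole-day bucket: 0 = first 24h of life, 1 = 24-48h, and so on."""
    buckets = Counter()
    for hostname, created, event in incidents:
        hours = age_hours(created, event)
        if hours < 0:
            # A malicious action before the first sighting means the first-seen data is
            # incomplete for this hostname; surface it instead of silently mis-bucketing.
            raise ValueError(f"{hostname}: event precedes first-seen timestamp")
        buckets[int(hours // 24)] += 1
    return buckets


def coverage(incidents, threshold_hours: float) -> float:
    """Fraction of incidents a 'block hostnames younger than threshold_hours' rule would have caught."""
    if not incidents:
        return 0.0
    caught = sum(1 for _, created, event in incidents if age_hours(created, event) < threshold_hours)
    return caught / len(incidents)


def smallest_threshold(incidents, target: float, step_hours: int = 24, max_hours: int = 24 * 30):
    """Smallest whole-step threshold (in hours) whose coverage reaches target, or None."""
    for hours in range(step_hours, max_hours + 1, step_hours):
        if coverage(incidents, hours) >= target:
            return hours
    return None


if __name__ == "__main__":
    buckets = bucket_by_day(SAMPLE_INCIDENTS)
    for day in sorted(buckets):
        print(f"day {day:>2} ({day * 24:>4}-{(day + 1) * 24:>4}h): {buckets[day]} incident(s)")
    for hours in (24, 48, 72, 168):
        print(f"block if younger than {hours:>3}h -> catches {coverage(SAMPLE_INCIDENTS, hours):.0%}")
    print("smallest threshold reaching 80%:", smallest_threshold(SAMPLE_INCIDENTS, 0.8))
```

Replace SAMPLE_INCIDENTS with your own incident records (first-seen date from passive DNS, first bad event from your proxy, DNS or IDS logs) and the day buckets tell you where the threshold pays off and where it stops helping, which is the point of bucketing rather than averaging.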

Using this preliminary research or your own data, here's an example of transforming the initial conundrum into an opportunity to add a solid network protection layer.

Global Conundrum of Doom:

New hostnames flow freely through your network because:

A large number of new subdomains are not malicious and are needed for business activity

Content Distribution Network (CDN) hostnames

Cloud service hostnames

Campaign tracking hostnames

Threat feeds you buy won't list the newest malicious hostnames until it's too late - some malware has already been dropped into your systems

Transform the Problem into a Low Cost High ROI Solution:

The same data point that gives criminals the advantage over you (you've never seen the hostname before, so you don't know to block it) can be turned on its head to give you the advantage over the criminals.

Let's say you've never seen the hostname before, and it's not from a common CDN or business cloud service. You don't need to trust this new hostname, not in the first 48 hours of life.

Add rules to your existing network appliance to:

Block hostnames created less than NN hours ago

Exception for new hostnames based on a small whitelist

Continue using your best threat feeds to cover old/slow hostnames

How many hours should you use for NN? Ideally base this on your own network data and experience. 48 hours may be a place to start - just remember to stay flexible in case the criminal element or new legitimate services change tactics.
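The three rules above, as an added worked example in Python (not the post's code and not any vendor's). The passive DNS "first seen" lookup is a constructed in-memory table standing in for whatever service or appliance provides hostname age; the whitelist, threat feed, hostnames and "current time" are constructed sample values. Evaluation order matters: the threat feed is consulted first so a whitelist entry can never override a known-bad listing, the whitelist exempts business CDN and cloud suffixes from the age rule, and a hostname with no first-seen record at all is treated as brand new, since "never seen" is exactly the signal the rule is built on.

```python
from datetime import datetime, timedelta
from enum import Enum

MIN_AGE_HOURS = 48  # the "NN" in the rules above; tune it from your own bucketed data


class Verdict(Enum):
    BLOCK_FEED = "block: listed in threat feed"
    BLOCK_NEW = "block: hostname younger than threshold (or never seen)"
    ALLOW_WHITELIST = "allow: whitelisted CDN / cloud suffix"
    ALLOW = "allow: hostname older than threshold"


# Constructed stand-in for a passive DNS "first seen" lookup; a real deployment
# would query a passive DNS service or the appliance's own history instead.
FIRST_SEEN = {
    "assets.cdn.example":                     datetime(2020, 1, 1, 0, 0),
    "api-3.cloud.example":                    datetime(2023, 3, 15, 10, 0),
    "secure-login-update.ddns-provider.test": datetime(2023, 3, 15, 2, 0),
    "old-bad.example":                        datetime(2021, 6, 1, 0, 0),
    "www.partner.example":                    datetime(2019, 5, 5, 0, 0),
}

# Constructed whitelist: base domains of CDNs and cloud services the business relies on.
# Matching is by suffix, so every subdomain under them is exempt from the age rule.
WHITELIST = {"cdn.example", "cloud.example"}

# Constructed threat feed: known-bad hostnames found the slow way.
THREAT_FEED = {"old-bad.example"}

SAMPLE_NOW = datetime(2023, 3, 15, 12, 0)  # constructed "current time" for the demo


def normalize(hostname: str) -> str:
    """Lower-case and strip the trailing dot so lookups are consistent."""
    return hostname.strip().lower().rstrip(".")


def is_whitelisted(host: str) -> bool:
    """True when the hostname equals a whitelist entry or sits underneath one."""
    return any(host == entry or host.endswith("." + entry) for entry in WHITELIST)


def classify(hostname: str, now: datetime, min_age_hours: int = MIN_AGE_HOURS,
             first_seen_lookup=FIRST_SEEN.get) -> Verdict:
    host = normalize(hostname)
    # 1. Threat feeds still cover old/slow hostnames; a feed hit is never overridden.
    if host in THREAT_FEED:
        return Verdict.BLOCK_FEED
    # 2. Exception for new hostnames under whitelisted business suffixes.
    if is_whitelisted(host):
        return Verdict.ALLOW_WHITELIST
    # 3. Block hostnames created less than min_age_hours ago. No record at all
    #    means nobody has seen it yet, which is the most suspicious case.
    first_seen = first_seen_lookup(host)
    if first_seen is None or now - first_seen < timedelta(hours=min_age_hours):
        return Verdict.BLOCK_NEW
    return Verdict.ALLOW


if __name__ == "__main__":
    for name in ["assets.cdn.example", "api-3.cloud.example", "old-bad.example",
                 "secure-login-update.ddns-provider.test", "www.partner.example",
                 "never-seen-before.example"]:
        print(f"{name:<42} {classify(name, SAMPLE_NOW).value}")
```

Keep the whitelist short and suffix-based, as in the post: a handful of CDN and cloud base domains is enough to let legitimate new subdomains through, while a long list quietly recreates the original problem.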

Increase Confidence Levels Using Global Passive DNS

Your own network data is the best data to develop protections relevant to your enterprise. At the same time, you need to do external validation of data points such as "when was a hostname first seen in the global DNS". Check the hostnames seen in your network - known good, unknown, or known bad - against what the rest of the world sees.

It's a quick study to get a "hostname age" data point for the hostnames seen in your corporate network for a day, a week, or even an hour based on your equipment or limitations. At the request of a customer, Zetalytics recently created an ad hoc UDP query service that accepts a hostname and instantly returns the date it was first seen.

Unlike "domain age" services based on slow whois queries, a query service for hostname age works for the vast array of malicious subdomains, such as those based on dynamic DNS providers and free services that attract and harbor criminals, while also providing solid and reliable knowledge about the base domains you should whitelist.

When selecting a passive DNS data source, test for global geographic diversity as well as customer type diversity. Check that the type of hostname visibility matches your needs, ensuring that it is a good mix of enterprise vs consumer and has great coverage in the countries where your company does business.

Conclusion:

Whether you roll your own, outsource to a service, or go down the middle with expert advice and training to help your team best utilize your own network data - there are golden opportunities for network protection from the newest malicious hostnames on your network. Hostnames so new - even your best threat intel feeds haven't found them yet.

RESOURCES: Contact fredt@zetalytics.com to join a slack channel community collaborating on research and results about new malicious hostnames. We have ongoing discussions with other compliance and security professionals looking into similar parameters for their network, how to conduct the research, and what results people are seeing.

By April Lorenzen, Chief Data Scientist at Zetalytics. April is an Internet security researcher specializing in the preemptive discovery of miscreant and crimeware resources in the domain name system. She is the primary architect of the free open source data visualization tool "Mal4s" as well as operating IoC security feeds continuously since 2004, overseeing one of the world's most geographically diverse passive DNS systems in her work as Chief Data Scientist at Zetalytics.